Python-slack-sdk: SSL Certification error

Created on 7 Jul 2018  Â·  33Comments  Â·  Source: slackapi/python-slack-sdk

Description

I've built a bot in python 3.7 using a virtual engine, when I come to run the code I get this error:

/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/slackclient/server.py", line 179, in connect_slack_websocket
    http_proxy_auth=proxy_auth)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/websocket/_core.py", line 494, in create_connection
    websock.connect(url, **options)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/websocket/_core.py", line 217, in connect
    options.pop('socket', None))
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/websocket/_http.py", line 126, in connect
    sock = _ssl_socket(sock, options.sslopt, hostname)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/websocket/_http.py", line 253, in _ssl_socket
    sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/websocket/_http.py", line 232, in _wrap_sni_socket
    server_hostname=hostname,
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 850, in _create
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/slackclient/client.py", line 52, in rtm_connect
    self.server.rtm_connect(use_rtm_start=with_team_state, **kwargs)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/slackclient/server.py", line 147, in rtm_connect
    self.connect_slack_websocket(self.ws_url)
  File "/Users/sophie/Dropbox/Programming/gallagherbot/lib/python3.7/site-packages/slackclient/server.py", line 186, in connect_slack_websocket
    raise SlackConnectionError(message=str(e))
slackclient.server.SlackConnectionError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)

Connection failed. Exception traceback printed above.

This seems similar to this: https://github.com/slackapi/python-slackclient/issues/325 but I tried the User's suggestion and it hasn't changed anything.

I have the bot's 'Bot User OAuth Access Token' stored as a variable which I refer to in the code

Any suggestions?

Describe your issue here.

What type of issue is this? (place an x in one of the [ ])

  • [x ] bug
  • [ ] enhancement (feature request)
  • [ ] question
  • [ ] documentation related
  • [ ] testing related
  • [ ] discussion

Requirements (place an x in each of the [ ])

  • [x ] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x ] I've read and agree to the Code of Conduct.
  • [x ] I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackclient version:

python version: 3.7

OS version(s):

Steps to reproduce:

1.
2.
3.

Expected result:

What you expected to happen

Actual result:

What actually happened

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.

Most helpful comment

This is sloved my problem..

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

All 33 comments

I have run into the same exact problem today. I fixed it by downgrading the websocket-client library to 0.47.0

Are you both using a proxy configuration? If so, it may be that your proxy has a certificate which doesn't have a root in the CA bundle shipping with this package.

If that's the case, I see two options:

  1. we allow turning verification of the proxy server off (this would mean sacrificing an important security feature).
  2. we allow you to supply your own CA bundle, but this will require more work on your part to configure correctly.

0.48.0 of websocket-client appears to have removed the CA bundle actually which I think the problem is. I am on a Mac, I have not had the chance to test this on another OS to see if the load_default_certs for Mac is the problem.

@KoalaTea wow, you're right, and also that's no great.

it looks like https://github.com/websocket-client/websocket-client/issues/413 is the issue where this decision was made. i hope the maintainers of that package will consider reversing this decision. for example, the requests package depends on certifi to provide a CA bundle, which seems like a favorable approach to solve the staleness problem. the current approach is untested for py2 and depends on some very specific system configuration to be done correctly (which seems to be misconfigured at least often enough for a couple users of this package).

i made an issue for my suggestion: websocket-client/websocket-client#451. if the maintainers indicate that they'd merge that change in, we can contribute the code.

Thanks @KoalaTea and @aoberoi for figuring this out, I'm new to programming - so this is awesome!

Also ran into this issue, not sure if work is being done to resolve this or should I just implement a hotfix to my own proj by downgrading the websocket version.

For those of you affected, I think it would be helpful for you to express support of https://github.com/websocket-client/websocket-client/issues/451.

The easiest way would be click through and put a thumbsup reaction on the top comment.

so I am still running into the same issue here, I am new to python and have tried to downgrade the websocket-client library to 0.47.0, but it still returns the same error!
any tips on how to get around this?

I named possible solutions in https://github.com/websocket-client/websocket-client/issues/451#issuecomment-417918570 if you care to try.

Hey,
I just ran into a similiar problem in another project and googling has this as the top result bringing me back.
Doing as you linked fixed the issue.
"./Applications/Python x.x/Install Certificates.command" caused it to work. on versions above 0.47.0

There are a couple of things that can be done: 1. Downgrading the websocket-client library to 0.47.0 2. Or, download the certificate (wget https://www.tbs-certificats.com/issuerdata/DigiCertGlobalRootCA.crt), then set the environment variable export WEBSOCKET_CLIENT_CA_BUNDLE=DigiCertGlobalRootCA.crt

This is sloved my problem..

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

I ran into this issue today and I've tried downgrading websocket-client to 0.47.0, and exported WEBSOCKET_CLIENT_CA_BUNDLE=DigiCertGlobalRootCA.crt on my system. Neither option worked. Any ideas for my system running python 3.7.2 on Ubuntu?

@pancho-villa on Ubuntu, you may want to try apt-get install ca-certificates. If you're using a Python distribution from the default repositories, that package will likely place the required certificate authorities bundle in the directory where Python will expect it to be.

Thanks for the heads up @aoberoi, but it didn't work. I tried it on a Fedora 29 machine as well. I found that I can monkey patch the request to add verify=False to bypass the error for now.

This is sloved my problem..

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

Worked for me too

@hammao @rpujakesuma ,

Thanks for your information.
I encounter same issue, and I tried this option: download the certificate (wget https://www.tbs-certificats.com/issuerdata/DigiCertGlobalRootCA.crt), then set the environment variable export WEBSOCKET_CLIENT_CA_BUNDLE=DigiCertGlobalRootCA.crt, it doesn't work for me.

I would like to know how to execute the command, thank you!

This is sloved my problem..

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

Worked for me too

==============
It is worked after downgrade websocket-client to 0.47.0.

There are a couple of things that can be done: 1. Downgrading the websocket-client library to 0.47.0 2. Or, download the certificate (wget https://www.tbs-certificats.com/issuerdata/DigiCertGlobalRootCA.crt), then set the environment variable export WEBSOCKET_CLIENT_CA_BUNDLE=DigiCertGlobalRootCA.crt

I've also found success setting the Requests or OpenSSL certificates:

# https://docs.python-requests.org/en/msater/user/advanced/#ssl-cert-verification
os.environ['REQUESTS_CA_BUNDLE'] = 'YourRootCertificate.crt'  # Requests
os.environ['SSL_CERT_FILE'] = 'YourRootCertificate.crt'  # OpenSSL
os.environ['SSL_CERT_DIR'] = '/path/to/your/certificates/'

Due to the fact that no changes should be made in this library I'm closing this issue. The workarounds posted above should be explored if you need to remain on v1 of this project. (i.e. You need to use Python 2.7) I'd encourage all others to take advantage of all the new features in v2 by following the migration guide. SSL configuration is better supported in v2. You can take a look at one approach to doing this with the new client in the tutorial.

Build is still broken here with the same error...took me some time to realize it is slack related issue and not a general OS issue...

@AlmogCohen can you provide any more details to your conclusion? I've not been able to discover any issues where the root cause is related to Slack.

Since this package was the official one supported by slack for a long time I do have some expectations for it to work including some accountability to the dependencies it is shipped with. Maybe it is too much to expect that. If it says any websocket-client version is OK, but the client is breaking... It is odd to me.

Also, I did see the v2 SDK and it looks amazing...BUT it is not trivial to shift existing code bases to use it as if it is a drop-in replacement to issues with the v1 SDK. v2 is awesome, but quite different (for good, yet different)

@AlmogCohen I understand now. Thank you for the feedback. I apologize for the frustration that was caused. I've recently taken on this project and will be leading the development efforts moving forward.

Next week I'll be switching part of my focus on bug fixing v1 where it makes sense. Around this same time I'll consider locking down the websocket-client version to the previous 0.47.0 version.

If you can work with Python 3.6+ and would like to use the new v2 SDK. Please open a new issue to let me know if there's anything I can do to ease the migration efforts.

Thank you man for the understanding and support! Good luck with project
support :)

On Wed, May 8, 2019 at 3:19 PM Rodney Urquhart notifications@github.com
wrote:

@AlmogCohen https://github.com/AlmogCohen I understand now. Thank you
for the feedback. I apologize for the frustration that was caused. I've
recently taken on this project and will be leading the development efforts
moving forward.

Next week I'll be switching part of my focus on bug fixing v1 where it
makes sense. Around this same time I'll consider locking down the
websocket-client version to the previous 0.47.0 version.

If you can work with Python 3.6+ and would like to use the new v2 SDK.
Please open a new issue to let me know if there's anything I can do to ease
the migration efforts.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/slackapi/python-slackclient/issues/334#issuecomment-490671348,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AA5VOZTMWMMVC2TK4WAP2MLPUNGVZANCNFSM4FIZ2KAQ
.

--

Almog Cohen

https://htmlsig.com/signatures/01ADE8F6/edit

[image: Linkedin] http://linkedin.com/in/almogcohen
US: (415) 413-6714

This is sloved my problem..

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

Worked for me too

works

that works for me, i've seen it, the aiohttp expects a ssl_context, buuut..
the web_client really needs to avoid this kind of exception, because the ssl parameter is optional in constructor.

import ssl
import slack
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
client = slack.WebClient(token='yourtoken',
                         ssl=ssl_context)

response = client.chat_postMessage(
    channel='#yourchannel',
    text="message, etc..")

How to downgrade to websocket_client 0.47.0 ? i mean what should I write in Mac terminal to get this done ?

Depends on your package management tool - is it pipenv? Is it pip?
Depending on your tool /environment you can set the version of the package

On Sat, Aug 24, 2019, 15:11 Omer-Khabeer notifications@github.com wrote:

How to downgrade to websocket_client 0.47.0 ? i mean what should I write
in Mac terminal to get this done ?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/slackapi/python-slackclient/issues/334?email_source=notifications&email_token=AA5VOZT5M5LBGWFH5SPD2JLQGE6QLA5CNFSM4FIZ2KA2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5CAXZY#issuecomment-524553191,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AA5VOZSNQ2W5HRYE5HA5STTQGE6QLANCNFSM4FIZ2KAQ
.

it is pip

that works for me, i've seen it, the aiohttp expects a ssl_context, buuut..
the web_client really needs to avoid this kind of exception, because the ssl parameter is optional in constructor.

import ssl
import slack
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
client = slack.WebClient(token='yourtoken',
                         ssl=ssl_context)

response = client.chat_postMessage(
    channel='#yourchannel',
    text="message, etc..")

This is what fixed it for me.

How to downgrade to websocket_client 0.47.0 ? i mean what should I write in Mac terminal to get this done ?

pip3 install websocket-client==0.47.0

that works for me, i've seen it, the aiohttp expects a ssl_context, buuut..
the web_client really needs to avoid this kind of exception, because the ssl parameter is optional in constructor.

import ssl
import slack
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
client = slack.WebClient(token='yourtoken',
                         ssl=ssl_context)

response = client.chat_postMessage(
    channel='#yourchannel',
    text="message, etc..")

This worked for me unlike the other proposed solutions here.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

seratch picture seratch  Â·  3Comments

divyatman picture divyatman  Â·  4Comments

avinassh picture avinassh  Â·  3Comments

kompotkot picture kompotkot  Â·  4Comments

naveenjafer picture naveenjafer  Â·  4Comments